
User Namespace in Red Hat Enterprise Linux 7.2
June 25, 2016

Red Hat announced the availability of user namespaces in the RHEL 7.2 release notes, but the notes don't
give details on how to use them. By default, user namespaces are disabled in RHEL 7.2.

Verify if user namespace is enabled


You can run a quick check by executing the demo_userns.c program, which creates a child in a new
user namespace. The child simply prints its effective user and group IDs and its capabilities. If it runs
successfully, then user namespaces are already enabled for you. However, if it returns something like
clone: Invalid argument, then user namespaces are disabled.

You might need to install the libcap development package to build demo_userns.c:

sudo yum install libcap-devel

Compile it, linking against libcap (-lcap):

gcc demo_userns.c -o demo_userns -lcap

Enable user namespace


To enable user namespaces, you need to set a kernel boot parameter. You can do it by
running the following command:

sudo grubby --args="user_namespace.enable=1" \
    --update-kernel=/boot/vmlinuz-3.10.0-327.el7.x86_64

Note: you might need to change the vmlinuz version in the path to match your installed kernel.

Reboot the box.

Now you can verify by running demo_userns.c again; it should print the user ID, group ID and
capabilities:

eUID = 65534; eGID = 65534; capabilities: = cap_chown,cap_dac_override,
cap_dac_read_search,cap_fowner,cap_fsetid,cap_kill,cap_setgid,cap_setuid,
...
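An added example (not demo_userns.c and not code from the original post): a libcap-free check that looks for the user_namespace.enable=1 boot parameter in /proc/cmdline and tries unshare(CLONE_NEWUSER) in a forked child, which is handy when auditing hosts where the feature should stay off. The function names are hypothetical, and it assumes unshare() fails the same way the post reports for clone().

```c
#define _GNU_SOURCE
#include <errno.h>
#include <sched.h>
#include <stdio.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* 1 if the command line holds the exact token user_namespace.enable=1 */
int cmdline_enables_userns(const char *cmdline)
{
    static const char want[] = "user_namespace.enable=1";
    const size_t n = sizeof(want) - 1;
    const char *p;
    for (p = cmdline; (p = strstr(p, want)) != NULL; p += n) {
        if ((p == cmdline || p[-1] == ' ') &&
            (p[n] == '\0' || p[n] == ' ' || p[n] == '\n'))
            return 1;
    }
    return 0;
}

/* Try unshare(CLONE_NEWUSER) in a throwaway child so the caller keeps its own
 * namespace. Returns 0 on success, the child's errno, or -1 on fork/wait error. */
int probe_userns(void)
{
    int status;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0)
        _exit(unshare(CLONE_NEWUSER) == 0 ? 0 : errno);
    if (waitpid(pid, &status, 0) < 0 || !WIFEXITED(status))
        return -1;
    return WEXITSTATUS(status);
}

int main(void)
{
    char buf[4096] = "";
    FILE *f = fopen("/proc/cmdline", "r");
    int err = probe_userns();
    if (f) {
        if (!fgets(buf, sizeof buf, f)) buf[0] = '\0';
        fclose(f);
    }
    printf("boot parameter: %s\n", cmdline_enables_userns(buf) ? "set" : "not set");
    printf("unshare(CLONE_NEWUSER): %s\n", err == 0 ? "ok" : err > 0 ? strerror(err) : "probe failed");
    return err == 0 ? 0 : 1;
}
```

Build it with gcc alone (no -lcap needed); an exit status of 0 means a new user namespace could be created.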

Till then.
